What we scan

Each week the orchestrator clones target repositories and runsoffsend report — the same public-safe mode available in the Offsend CLI. Checks are path-level only:

  • Exposed patterns — sensitive file categories (e.g. .env, key material) visible at the path level
  • Ignore file coverage — presence of AI-oriented ignore files (.cursorignore, .claudeignore, project rules, and similar)

Scans use shallow clones of a single ref per repository from the weekly cohort list.

What we do not scan or publish

  • File contents, secret values, tokens, or credentials
  • Exact file paths or filenames in public exports
  • Repository names alongside findings unless the maintainer opted in
  • Claims of security, compliance, or “secret-free” status

Private orchestration metadata stays in the privateradar-state repository and is never copied to public exports — except for opted-in named listings.

How repositories are selected

Weekly cohorts are defined manually in radar-state/targets/<week>.yml — typically open-source repositories the Offsend team tracks or that maintainers opt into. Repos can be skipped when archived or deprecated.

Named public listings

Repository names appear on this site only when a maintainer has consented viaradar-state/registry/public-listings.yml. Listings use positive framing (e.g. “AI Context Reviewed”), not blame-oriented labels. Fleet aggregates remain anonymous.

How to opt in →

How results are sanitized

  1. offsend report produces anonymized per-repo JSON (pattern IDs and counts, no paths).
  2. Fleet aggregates roll up counts across repos in the private data store.
  3. export/<week>/summary.json is the public-safe subset — fleet aggregates plus opted-in listings.
  4. This site renders only the export data.

Reproduce checks locally

brew install --cask offsend/tap/offsend-cli
offsend show
offsend report . --out report.json

Everything runs locally. No file contents are uploaded.

Principles

  • Path-level by default — structure and ignore files, not file contents
  • No secrets collection — reports must not contain sensitive values
  • No public shaming — aggregate patterns, not individual blame
  • Opt-in for names — maintainers choose whether to appear by name
  • No security claims — hygiene signals only, not certification